Commit: 32df09b2416a6961704eca0fe73534c8c4e715b2
Author: Ray Molenkamp
Date: Thu Jul 14 12:18:35 2022 -0600
Branches: blender-v3.2-release
https://developer.blender.org/rB32df09b2416a6961704eca0fe73534c8c4e715b2
Fix T99705: fix integer overflow in thumbnail extractor It was smart enough to check if the buffer had the right size but neglected to cast to a 64 bit value so it overflowed. Differential Revision: https://developer.blender.org/D15457 Reviewed By: brecht =================================================================== M source/blender/blendthumb/src/blendthumb_extract.cc =================================================================== diff --git a/source/blender/blendthumb/src/blendthumb_extract.cc b/source/blender/blendthumb/src/blendthumb_extract.cc index de1f50dfdce..369da559fc8 100644 --- a/source/blender/blendthumb/src/blendthumb_extract.cc +++ b/source/blender/blendthumb/src/blendthumb_extract.cc @@ -134,7 +134,8 @@ static eThumbStatus blendthumb_extract_from_file_impl(FileReader *file, /* Verify that image dimensions and data size make sense. */ size_t data_size = block_size - 8; - const size_t expected_size = thumb->width * thumb->height * 4; + const uint64_t expected_size = static_cast<uint64_t>(thumb->width) * + static_cast<uint64_t>(thumb->height) * 4; if (thumb->width < 0 || thumb->height < 0 || data_size != expected_size) { return BT_INVALID_THUMB; } _______________________________________________ Bf-blender-cvs mailing list Bf-blender-cvs@blender.org List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-blender-cvs
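Review bot: In the new expected_size computation, thumb->width and thumb->height are cast to uint64_t before the `thumb->width < 0 || thumb->height < 0` test on the following line has run, so a negative dimension is converted to a very large unsigned value and the product wraps modulo 2^64 before the input is rejected. The outcome is still correct because the sign tests short-circuit ahead of `data_size != expected_size`, but that depends on the operand order inside the if; returning BT_INVALID_THUMB for negative dimensions first and computing expected_size only afterwards would make the check robust against later reordering. Separately, the unchanged context line `size_t data_size = block_size - 8;` wraps around if block_size is below 8, and nothing in the visible lines rules that out, so it is worth confirming that an earlier check covers it or adding one here.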